Suppose that I have a link with an ajax request which use to like a post. It has a data-id attribute which is the post's id like this.
<a href="#" data-id="<?php echo $post->id; ?>">Like</a>
In server side, I use this id to update the like number of this post. I wonder if an user could use the developer tool to change this id, so the data will break. But I don't know the name of this security threat and how to prevent it. Could anyone help me out !? Thank in advance.
Just make sure you are not sending along the user_id for example through js and ajax since that could easily be manipulated to make other users like something they didn't click on.
If you use something like:
if(isset($_POST['like_id'])
{
$like_id = (int) $_POST['like_id'];
// some more checks (ie. does this id exist?), and then:
$user_id = $_SESSION['user_id'];
echo $user_id . " likes post " . $like_id;
}
than all a "malicious" user could achieve, would be to make his account "like" something without going through the actual link.
On the opposite if you use:
$user_id = $_POST['user['user_id']; // don't use this!
than any user could send any user's id and make them "like" something they didn't request which you wouldn't want to allow.
In General
Do not rely on ANY data coming from a POST or GET since that could be easily changed so make sure that id is an integer, make sure that id exists and then after making all necessary checks update your database accordingly.
We are able to change all client side data as an attacker. In this case, attackers can change post id too.
For example; if you getting post id from client then use it for delete/update post. That will be security hole for your application. Because attackers can spoof post id data to something else. Also attackers know that developers usually use auto increment field for this kind of process.
Mitigation:
This kind of security issues could be related to Insecure Direct Object Reference. You can check it out at OWASP web site. But approach is almost same for all applications.
1 - If you want to get/delete/update or anything with post id, you have to be sure that related user has a permission for this operation.
For example:
www.website.com/delete.php?id=1337
When user request this url. Delete.php file will remove post from database. And id value can be spoof by attackers.
Vulnerable Query
DELETE FROM posts Where id = 1337
Secure Query
DELETE FROM posts Where id = 1337 and owner = $_SESSION['user_id']
AS you can see, you have to check out that post owner is same with session owner.
Also, use prepared statements.